In today’s digital world, we rely on passwords to protect our sensitive information from the increasing threat of cyber-attacks, identity theft, and data breaches. But are your passwords the best they can be? Do you need good password ideas?
You’ve come to the right place! In this blog, we will outline 11 strategies to come up with good password ideas that are actually secure. Meanwhile, the best passwords are the ones you actually use, so several of these tips cover picking passwords that are not only strong, but memorable as well. Finally, selecting a strong password is only the beginning, so we go over ways to keep your passwords secure in the long term, such as using 2 factor authentication and password managers.
Here at IOFLOOD, we’re proud to use best practices when securing our own services and our customer’s dedicated servers. Whether you’re securing a dedicated server, your email account, or your World of Warcraft character, these password best practices can keep your accounts and data safe and secure. So, let’s dive in and learn how to protect ourselves and our data from would-be hackers.
TL;DR: What makes a good password?
A strong password is long and difficult to guess.
Use numbers and special characters.
Avoid dictionary words and simple patterns.
Use a different password for every service you login to.
Don’t tell anyone your passwords.
Use 2 factor authentication whenever possible.
A password you can remember is one you can use.
Password managers can help you more easily follow these best practices.
Continue reading to learn the details of these strategies and more.
1: Length Matters
The length of your password plays a significant role in its security. Simply put, the longer your password is, the harder it becomes for an attacker to crack it through a brute-force attack. In a brute-force attack, the hacker systematically attempts every possible combination of characters until they find the correct one. Naturally, the more characters your password has, the more time-consuming and resource-intensive it becomes for the attacker to crack.
As a general guideline, it’s recommended to have a minimum password length of 12 characters. However, it’s best to go beyond that: better is 14 or more characters. Remember, every additional character exponentially increases the time required for a brute-force attack, so longer is definitely better.
2: Use a Mix of Character Types
Incorporating a mix of character types (uppercase, lowercase, numbers, and symbols) in your password not only makes it more difficult for an attacker to guess but also increases its entropy. Entropy, in the context of password strength, refers to the level of randomness and unpredictability in a password. The higher the entropy, the stronger the password.
Let’s look at two examples:
The stronger password uses a mix of character types, making it much more secure than the weak password. By incorporating uppercase and lowercase letters, numbers, and symbols, you create a password with higher entropy, which translates to a more secure password.
3: Avoid Common Patterns and Predictable Sequences
When creating a password, it’s essential to avoid common patterns and predictable sequences that make it easy for hackers to crack your password. These patterns might include using your name, pet’s name, or simple number sequences like
Hackers commonly use “dictionary attacks” to guess passwords, with every conceivable meaningful sequence of characters included. Even using a “dictionary” that includes 1 million words, phrases and patterns, is much faster than guessing every possible character in a fully randomized password. Therefore it is extremely important to pick a password that is not likely to be in any such database. 5 unrelated words strung together is unlikely to be in this type of “dictionary”, but a single word plus a couple of numbers will be in there for sure.
To create a unique and unpredictable password, try to come up with a combination of characters that don’t follow any discernible pattern. You can use a random assortment of letters, numbers, and symbols or think of a unique phrase that’s meaningful to you but wouldn’t be easily guessed by someone else.
For example, instead of using your pet’s name followed by your birth year, try combining the first letters of the titles of your favorite books or movies, followed by a memorable date or number. This way, you’ll have a password that’s both unique and unpredictable.
4: Use a Password Manager
Password managers are tools designed to help you generate, store, and manage your passwords securely. They can create strong, unique passwords for each of your accounts and store them in an encrypted vault, so you don’t have to remember them all. This way, you can use passwords that are longer and more complex than anything you could possibly remember, because the password manager remembers it for you.
Some popular password managers include LastPass, Dashlane, and 1Password. These tools offer various features, such as password generation, autofill, and synchronization across devices, making it easier to maintain strong password security.
When using a password manager, it’s crucial to choose a strong master password that you can remember, as this will be the key to unlocking your password vault. Be sure to follow the best practices discussed in this guide when creating your master password. Of all the passwords you use, this one should be the longest and most secure, so take the time to carefully consider it and commit it to memory.
5: Don’t Reuse Passwords Across Multiple Services
Reusing passwords across multiple accounts is dangerous habit that can put all of your accounts at risk. One of the most common causes of hacked accounts is due to reused passwords. Every day in the news you hear about a company experiencing a data breach. When this occurs, the username, email address and password you used for that service is now public knowledge. If you use the same login details for other services, it is trivial for even an unskilled hacker to gain access to your other accounts.
To minimize this risk, it’s essential to use different passwords for every service. This is especially critical for your email account(s), as password resets and other login information are commonly sent there. You should use a very different and more secure password for your email address, as well as two factor authentication.
You might be thinking: “How will I remember hundreds of different passwords?” I completely sympathize with this problem. A strong password is not a good password if you can’t remember it and use it. Luckily, there are two good solutions to this problem.
We already discussed using a password manager, which can make it much easier to use a different password for every service. However, this is not always feasible, so it helps to have other tactics at your disposal. Another powerful strategy is to use a customized password variation system, which is our next method for creating strong passwords.
6: Use a Customized Password Variation System
A customized password variation system is a method of creating similar but not identical passwords for different websites or services. This strategy can help you manage and remember unique passwords while still maintaining strong security. I don’t see this powerful strategy discussed often, so think of this as a superpower specifically given to you by IOFLOOD!
For example, you could create a reasonable base password, such as “
F4sterP0pT@nn3r” and then add a unique variation for each website based on its characteristics. One approach is to add a short string of characters derived from the website’s name. Let’s take IOFLOOD.com, for example, which starts with “I”, ends with “D”, and is 7 characters long.
For that website, your unique password might become
"7IDF4sterP0pT@nn3r" or "F4sterP0pT@nn3rID7".
"7ID" or "ID7" to the start or end of the base password, you not only make the password longer, but it is now unique to that website. Best of all, you get these benefits while only needing to remember your base password.
The benefits of using a customized password variation system include limiting the damage caused by a single website’s security breach, as well as making it easier to remember a large number of unique passwords.
7: Use Passphrases
Passphrases are another great way to create secure passwords. A passphrase is a sequence of words or other text that’s used as a password. The main benefit of using passphrases is that they’re typically longer and more memorable than a random string of characters.
To create a strong passphrase, try to come up with a sentence or phrase that’s personal and memorable to you, but unlikely to be easily guessed by someone else. Avoid cliches and common phrases. You can also increase the security of your passphrase by incorporating uppercase and lowercase letters, numbers, and symbols, so long as you can still remember it. As we discussed before, a longer password is better than a more complex one. A 7 word phrase that’s all lowercase is better than a 3 word phrase with special characters in it, so use your best judgement for what you can reasonably remember and type accurately.
For example, a passphrase like
"MyDogLoves2ChaseCats!" is both memorable and secure, as it combines a personal phrase with a mix of character types. It’s also not a cliche or “dictionary phrase”, but is still easy to remember.
A variation of this technique for creating secure passphrases is using a method called diceware. Diceware is so named because it involves rolling dice to generate random words from a predefined word list. By combining several of these random words, you can create a strong and memorable passphrase.
The only downside here is that if the words are not memorable it may be difficult to use longer phrases. Feel free to use the random words as a starting point, editing as necessary to create a meaningful phrase. For example, if your random words are
"television", "car", "chair", "quickly", you might make your passphrase
"drive home quickly so I can sit and watch television".
8: Leverage Two-Factor Authentication
Two-factor authentication (2FA) is an additional layer of security that requires you to provide two forms of identification when logging into an account. Typically, this involves something you know (your password) and something you have (such as a physical token, an SMS code, or an authentication app on your smartphone).
By implementing two-factor authentication, you significantly reduce the likelihood of an attacker gaining access to your account, even if they manage to crack your password. Many online services now offer 2FA, so it’s a good idea to enable this feature whenever possible.
Various forms of 2FA include SMS codes, authenticator apps like Google Authenticator or Authy, and hardware tokens like YubiKey. Each method has its pros and cons, so it’s important to choose the one that best suits your needs and preferences.
9: Employ Mnemonic Devices
Mnemonic devices are memory aids that can help you create memorable passwords. By using a mnemonic, you can generate a strong password that’s easy for you to remember but difficult for others to guess.
One example of a mnemonic device is using the first letters of a memorable phrase or song lyrics to create a password. For instance, the phrase “
To be or not to be, that is the question” could be turned into the password “
Another tip for creating personalized mnemonic devices is to think of a memorable event or story and use the first letters of each word in that story to create your password. This will make your password unique to you and difficult for others to guess.
10: Regularly Update Passwords?
It used to be considered best practice to regularly update your passwords. However, even industry heavyweights like Microsoft no longer recommend this. Think of it this way, if your password gets breached, how soon should you update it? Immediately! Updating your passwords “regularly” is either needlessly frequent, or not nearly soon enough. It is far more important to practice the other methods we discussed for generating good passwords: Use a long, difficult to guess password, use a different password for every service you login to, don’t tell anyone your passwords, and use 2 factor authentication whenever possible.
When should you change your password? It is important to change your password immediately if you suspect it might have been breached, or if you think anyone other than you might have learned it. If this has not happened, then in most situations there is no need to regularly change your password.
If you are responsible for enforcing password security for very sensitive systems, you might still be temped to require regular password changes. It’s best if you can avoid this, as it can lead to users writing down new passwords they can’t remember. A better strategy is to have password audits, where you ensure that the passwords being used by your staff are not on known leaked password lists and are not simple passwords that are easily brute forced. Intrusion detection and alert systems as well as firewalls can let you know if someone is trying to use an employee credential in suspicious circumstances, such as outside of regular business hours or from an IP in another country.
If you absolutely want to enforce regular password changes, it’s best to use this in conjunction with a password manager — this way, nobody has to remember their passwords so there is less risk people will write them down or forget them.
11: Be Aware of Phishing Attacks
Phishing attacks are a significant threat to password security. Cybercriminals use phishing techniques, such as deceptive emails or fake websites, to trick users into revealing their login credentials. Once attackers obtain your password, they can use it to access your accounts and steal your personal information.
To protect yourself from phishing attacks, follow these tips:
- Always double-check the sender’s email address and the website URL to ensure they are legitimate. Phishers will commonly use similarly spelled domain names hoping you won’t notice it’s not exactly right.
- Be cautious with emails requesting personal information or asking you to click on links or download attachments. For example, if you want to go to your bank’s website, type the address in to your browser manually — never click the link in the email. If the notice in the email is legitimate, your bank’s website will give you the same notice information after you login.
- Keep your browser and security software up-to-date to help detect and block phishing attempts.
By following password security best practices and staying vigilant against phishing attacks, you can reduce the risk of falling victim to cybercriminals.
In today’s digital world, maintaining strong password security is more critical than ever. By implementing the 11 methods outlined in this guide, you can create strong passwords, safeguard your accounts, and protect your valuable personal information.
Evaluate your current password habits and make the necessary changes to improve your overall password security. Remember, maintaining strong password security is an ongoing process, and it’s essential to stay updated on the latest best practices to protect yourself from ever-evolving cyber threats.
We hope you found this guide helpful! Don’t hesitate to share your experiences, thoughts, and additional tips in the comments section below. Let’s work together to make the internet a safer place for everyone.
Do You Love Servers?
We Do! We take server security seriously, and if you feel the same, it would be great to work together. IOFLOOD offers unmanaged dedicated servers with helpful support. Email us at support[at]ioflood.com or visit our website at https://ioflood.com to learn more about how we can help you with your hosting needs!